The Point to Point Protocol over Ethernet (PPPoE) is a method for sending PPP packets in Ethernet frames. The Point to Point Protocol over ATM (PPPoA) is typically run on ATM networks, such as those found in the UK and Belgium.

Typically this means you can establish a connection with your ISP using just a standard Ethernet card and Ethernet-based DSL modem (as opposed to a USB-only modem).

If you have a modem which speaks PPPoE/PPPoA, it is possible to configure the modem to do the connecting. Alternatively, if the modem has a "bridge" mode, it is possible to enable this and have the modem "pass through" the packets to a machine running PPPoE software (see below).

The main software interface to PPPoE/PPPoA on OpenBSD is pppoe(8), which is a userland implementation (in much the same way that we described ppp(8), above). A kernel PPPoE implementation, pppoe(4), has been incorporated into OpenBSD.
=================================================

With reference to the bolded paragraph above, is it more secure to allow OpenBSD to handle PPPoE authentication etc. (by setting modem to bridge mode), or is it better to allow the ADSL router/modem to handle all the PPPoE authentication stuff?

In case of NAT, dialing from the modem is more secure because it will be assigned a live IP and your machine will be on a private IP, behind NAT.

Usually PPPoE dialing from machines/devices is more stable than dialing from cheap ADSL modems, unless you have some modem like a Speedtouch/Alcatel.

I work at a broadband ISP and many times we configure ADSL modems in bridge mode, and sometimes we don't even use any authentication method, because a lot of modems/devices/routers don't have a very good PPPoE implementation.

Quote:

In case of NAT, dialing from the modem is more secure because it will be assigned a live IP and your machine will be on a private IP, behind NAT.

A very basic pf ruleset on the PPPoE machine would more than make up for that and almost certainly be more secure than the NAT provided by the modem. If you're willing to put a little effort into it you can do some pretty cool things (bridging one interface to a routed block, NATing another to an internal space, etc.). I'd recommend "The Book of PF" by Hansteen for inspiration. It's cheap and decent.
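To make the "very basic pf ruleset" concrete, here is an added example /etc/pf.conf for the bridge-mode setup (not from any poster in this thread): the OpenBSD box runs pppoe(4) itself, so the ISP address lands on pppoe0 and everything inbound is denied and logged. Interface names pppoe0 and em0 and the 192.168.1.0/24 LAN range are assumptions; the PPPoE credentials live in /etc/hostname.pppoe0 on the OpenBSD box (readable only by root) instead of in the modem's flash, which addresses the firmware concern raised later in the thread.

```pf
# Added example /etc/pf.conf (not from the thread): the OpenBSD box does PPPoE
# itself with the modem in bridge mode. Assumed names: pppoe0 is the PPPoE
# interface, em0 faces the LAN, 192.168.1.0/24 is the LAN range.
ext_if = "pppoe0"
int_if = "em0"
lan    = "192.168.1.0/24"

set skip on lo

# pppoe0 has a 1492-byte MTU (PPPoE/PPP headers eat 8 bytes of the Ethernet
# 1500). Clamp TCP MSS so NATed LAN hosts are not blackholed on paths that
# drop ICMP "fragmentation needed"; 1440 is the value pppoe(4) recommends.
match on $ext_if scrub (max-mss 1440)

# NAT the LAN behind whatever address the ISP handed out. The parentheses
# make pf re-read the address every time the PPPoE session renegotiates,
# so a 24-hour line reset does not leave stale translation rules.
match out on $ext_if inet from $lan to any nat-to ($ext_if)

# Default deny. Logging inbound drops on pppoe0 gives the visibility the
# modem's NAT never offered (tcpdump -n -e -ttt -i pflog0 to watch it).
block log all

# Packets arriving from the ISP side with RFC 1918 source addresses are
# spoofed or misrouted; drop them before any pass rule can match.
block in quick on $ext_if inet from { 10/8, 172.16/12, 192.168/16 } to any

# LAN hosts may reach the outside (and the gateway itself); the gateway's
# own outbound traffic is allowed. Stateful by default, so replies return.
pass in on $int_if inet from $lan to any
pass out on $ext_if inet

# Nothing is opened unsolicited on pppoe0. Services for the LAN, if any,
# are reached over $int_if only; add explicit "pass in on $ext_if" rules
# per service if something really must be exposed.
```

Load it with `pfctl -f /etc/pf.conf` after `pfctl -nf /etc/pf.conf` reports no syntax errors; the `match ... nat-to` form is the OpenBSD 4.7 and later syntax, so older releases need the legacy `nat on` rule instead.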

Quote:

Originally Posted by osman

Usually PPPoE dialing from machines/devices is more stable than dialing from cheap ADSL modems, unless you have some modem like a Speedtouch/Alcatel.

And this is the best reason to do it. OpenBSD's kernel PPPoE implementation is considerably more robust than most modems.

Do you think security would be (slightly) improved if the OpenBSD box was behind the modem's NAT, with PF further protecting the OpenBSD box?

Sorry if that sounded confusing. What I meant was: would having the OpenBSD box sitting behind the modem's NAT provide a second layer of security, since the OpenBSD box isn't allocated an external IP address? So in effect, the internal LAN would be behind a "double-NAT"... or have I missed something?

I'm not too concerned about my modem's PPPoE because it seems to be quite robust. Whenever I lose ADSL line sync, the modem's PPPoE/PPPoA automagically reconnects without fail. Again, please correct me if I have missed something here as well.

It all depends on what your OpenBSD machine is going to do. If it is already a firewall/NAT, I personally think adding another NAT behind it is useless and only a management hassle... Otherwise, if you have neither a "front" firewall nor a NAT, the additional layer might be useful.

__________________
"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction."

Well, since the OpenBSD box is acting as the firewall/NAT/gateway, I guess I should set the modem to bridge mode. I gather that since the modem's firmware isn't audited at all (compared to OpenBSD), there might be many (exploitable) bugs that I'm just unaware of. In the worst case, the username/password could be compromised from buggy firmware on the modem, right?

In the past I ran OpenBSD PPPoE but I switched to modem PPPoE.
A good modem lets you route all the traffic, so there is no NAT between the modem and the *BSD box.
You can then protect your BSD box easily with pf; also VPN with IPsec works great behind a routing modem.

Two reasons for me to switch from OpenBSD PPPoE to the modem PPPoE.

My provider breaks the line every 24 hours, so my postfix, apache and other daemons didn't work as expected.
I could bind them to a dummy or other interface and redirect with pf, but this hasn't stopped the trouble.